Secure remote subscription module access

ABSTRACT

Disclosed is a method of granting a client communications terminal access to a subscription module of a server communications terminal, the method comprising the steps of establishing a communications link between the client communications terminal and the server communications terminal; communicating data related to the subscription module between the server communications terminal and the client communications terminal via the communications link; authenticating the client communications terminal by the subscription module using a key-based authentication procedure; and initiating the step of communicating data related to the subscription module conditioned on a result of the step of authenticating the client communications device. The present invention further relates to an arrangement for granting access to a subscription module in a communications system. The present invention also relates to a server communications terminal comprising a subscription module, a client communications terminal and a subscription module.

[0001] This invention relates to a method of granting a clientcommunications terminal access to a subscription module of a servercommunications terminal. The present invention further relates to anarrangement for granting access to a subscription module in acommunications system. The present invention also relates to a servercommunications terminal comprising a subscription module, a clientcommunications terminal and a subscription module.

[0002] In many wireless communications systems, communications terminalsare equipped with a subscription module. When a subscriber requests acommunication service it is determined, via said subscription module,whether the subscriber is qualified to receive communication serviceswhich the system provides. For this purpose, a subscriber identity isassigned to a terminal in a wireless communications system which uses asubscriber identity media. In order to get access to the communicationsservices, the communications terminal needs to have access to securitysensitive information which is unique to the subscription and which isstored in the subscription module.

[0003] The term communications terminal includes all portable radiocommunications equipment to which a subscriber identity is assigned,such as a mobile telephone, a communicator, an electronic organiser, apersonal digital assistant (PDA), or the like. The wirelesscommunications system may, for instance, be any cellular mobile phonesystem such as GSM (Global System for Mobile Communications) or anysatellite telecommunication system.

[0004] In the context of GSM, subscription is based on a SIM (subscriberidentity module) card, i.e. the subscription module is implemented as aSIM card attached to a mobile terminal. The SIM card includes a ROM(Read Only Memory), a RAM (Read Access Memory), an EEPROM (ElectricallyErasable Programmable Read Only Memory), a processor unit and aninterface to the communications terminal. The memory of the SIM providesstorage of the subscriber identity which is the International MobileSubscriber Identity (IMSI) in a GSM network. Except for emergency calls,the terminal can only be operated, if a valid SIM is present. The SIMsupports a security function for verification of the user of theterminal and for authentication of the user to the GSM network. The SIMfurther comprises information elements for GSM network operations, e.g.related to the mobile subscriber or GSM services.

[0005] In the above described context, if a user would like to use a SIMcard, i.e. a single subscription, to connect to a wirelesscommunications network from several different personal mobile terminals,he or she needs to manually remove the SIM card from one device and putit into another device. In order to avoid this inconvenient operation itis advantageous, if the wireless communication system allows more thanone communications terminal to share the same subscriber identitywithout having to pay for more than one subscription. The internationalapplication WO 99/59360 discloses an arrangement for communicating SIMrelated data in a wireless communications system between a wirelesscommunications terminal and a subscriber identity terminal including asubscriber identity unit with a SIM card. The wireless communicationsterminal and the subscriber identity terminal are separated from eachother, but may communicate with each other via a local wirelesscommunications link within a radio frequency range. SIM related data iscommunicated over the local wireless communications link. Hence theabove prior art system allows a simplified sharing of a subscriptionmodule by several communications terminals. Instead of moving the SIMcard between different mobile terminals, direct wireless access to theSIM card over an air interface is realised. In the above prior art, thelocal wireless communications link is encrypted in order to establish asecure wireless communications link that hinders third partyinterception of sensitive information.

[0006] However, the above prior art system involves the problem that theclient terminal may be under control of a dishonest user who may misusethe gained access to the communications access. Furthermore, if thelocal wireless communications link is a link to a local wirelessnetwork, such as a Bluetooth piconet, the link between the clientterminal and the server terminal may comprise several wirelessconnections involving intermediate terminals, thereby causing thesecurity of the communications link to be difficult to control, eventhough the individual communications links may be encrypted. Hence,there is a risk of unauthorised interception and use of sensitive datarelated to the subscription module.

[0007] The above and other problems are solved when a method of grantinga client communications terminal access to a subscription module of aserver communications terminal, the method comprising the steps of

[0008] establishing a communications link between the clientcommunications terminal and the server communications terminal; and

[0009] communicating data related to the subscription module between theserver communications terminal and the client communications terminalvia the communications link

[0010] is characterized in that the method further comprises the stepsof

[0011] authenticating the client communications terminal by thesubscription module using a key-based authentication procedure; and

[0012] initiating the step of communicating data related to thesubscription module conditioned on a result of the step ofauthenticating the client communications device.

[0013] Consequently, the present invention provides a secure end-to-endauthentication between the subscription module and the clientcommunications terminal. According to the present invention, theinternal communication between the subscription module and the servercommunications terminal is protected as well as the communicationbetween the client and server communications terminals, therebyproviding protection of the entire communications path. For example,when a user of the subscription module enters a PIN in order to activatethe subscription module, this information is authenticated end-to-end,i.e. between the subscription module and the client communicationsterminal, thereby providing a considerably improved security againstunauthorised use of the sensitive information on the subscriptionmodule.

[0014] Therefore, the present invention allows a remote device tosecurely use the subscription module of another device in order to getaccess to important information or functions needed for example toconnect to a cellular network.

[0015] The communications link may be an electric link or a wirelesscommunications link, such as an elctro-magnetic, magnetic or inductivelink. Examples of electro-magnetic links include, radio-frequency links,optical links, infrared links, microwave links, ultra sound links, orthe like. For example, the communications link may be a radio linkaccording to the Bluetooth standard, i.e. a short-range wirelesstechnology that enables different units to communicate with relativelyhigh speed. Bluetooth as well as other short-range wireless technologiesmake it possible to set up fast connections between different personalcomputing devices like a mobile phone, a Personal Digital Assistance(PDA), etc.

[0016] The term communications terminal comprises any electronicequipment including communications means adapted to establish acommunications link as described above, or part of such electronicequipment. The term electronic equipment includes computers, such asstationary and portable PCs, stationary and portable radiocommunications equipment, etc. The term portable radio communicationsequipment includes mobile radio terminals such as mobile telephones,pagers, communicators, e.g. electronic organisers, smart phones, PDAs,or the like.

[0017] The term subscription module comprises modules which may beremovably inserted into a communications terminal, such as a smart card,a SIM card, a wireless identity module (WIM) card, or the like. The termsubscription module further comprises modules which are physicallyinseparable from the server communications terminal. In one embodiment,the subscription module may comprise a security unit comprising aprocessing unit for performing the authentication, and storage means forstoring one or more keys for use during authentication. The storagemeans may be an integral part of the security module, removablyinsertable, or the like.

[0018] The data communicated between the client and the servercommunications terminal may be data stored in the subscription modulewhich may be required to register the client communications terminal ina cellular network, to establish a communications connection, e.g. avoice, fax, or data call, hereafter referred to as a “call”, from theclient communications terminal, to receive a call from the networkdirected to a telephone number associated with the subscription module,to authorise payments or other transactions, access functionality orinterfaces of the server communications device, or the like. The datamay further comprise subscription authorisation data, e.g. a PIN codeentered by a user of the client communications terminal and sent to theserver communications terminal. The data may further comprise addressdata, phone books, or any other sensitive data related to thesubscription module. The communication of data may comprise thetransmission of data from the server communications terminal to theclient communications terminal and/or the transmission of data from theclient communications terminal to the server communications terminal.Hence, access to the subscription module involves access to the datarelated to the subscription module, i.e. the transmission of data to thesubscription module, the reception of data from the subscription module,or the like.

[0019] The subscription module may be able to authenticate a number ofdifferent client communications devices.

[0020] When the method further comprises the step of authenticating thesubscription module by the client communications terminal using thekey-based authentication procedure, additional security is achieved, asonly an authorised subscription module is trusted by the clientcommunications terminal. Hence, the user of the client communicationsdevice can be sure that the client communications device communicateswith the correct and trusted subscription module. This is a particularadvantage, if the user of the client communications terminal wishes tosend sensitive data to the subscription module, e.g. PIN codes, accountdata, personal data, etc.

[0021] In a preferred embodiment of the invention, the key-basedauthentication procedure is a symmetric authentication procedure basedon a first secret key stored in both the client communications terminaland the subscription module. Hence, the authentication is based on acommon shared secret between the client communications device and thesubscription module, which may be used to authenticate the clientcommunications device and/or the subscription module. It is an advantageof the embodiment, that it provides an efficient and highly securemechanism of authentication. The first secret key may be a long-livedkey, and the subscription module may be pre-configured with that key.Alternatively or additionally, a temporary secret may be used allowing aclient communications device temporary access to the subscriptionmodule. It is an advantage of the use of a symmetric key mechanism, thatit provides a high level of security even with a short key, e.g. 64 or128 bits, and with a authentication mechanism which only requires littlecomputational resources. In particular, this is an advantage, if thecommunications terminals have limited storage capacity and computationalresources or limited power supply.

[0022] When the step of communicating data related to the subscriptionmodule further comprises the step of encrypting the data using anencryption key derived from the first secret key, an end-to-endencryption of the communication between the subscription module and theclient communications terminal is achieved, thereby providing a highlevel of security of the transmitted information against misuse andinterception. It is an advantage of the invention that even the internalcommunication within the server communications device, i.e. thecommunication over the interface provided by the subscription module, isprotected. For example, when the user of the subscription module entersa PIN in order to activate the subscription module, that PIN is sent tothe subscription module in encrypted form and, thus, is protected frominterception during the entire communications, even inside the servercommunications device. This is a particularly important advantage in thecase of a modular server communications terminal where the interface ofthe subscription module is accessible by other modules or devices.Preferably, the key used for encrypting the communications is derivedfrom the first secret key where the term derived includes thepossibility of using the first secret key directly.

[0023] When the method further comprises the step of deriving anencryption key from the first secret key, the communicated data isfurther protected against unauthorised alteration. Preferably, the stepof communicating data related to the subscription module furthercomprises the step of integrity protecting the data using a key derivedfrom the first secret key.

[0024] In another preferred embodiment of the invention, the key-basedauthentication procedure is a public key-based authentication procedurewherein the subscription module has access to a public key related tothe client communications terminal. Hence, the authentication of theclient communications device is based upon a public key of the clientcommunications device which the subscription module has access to. It isan advantage of this embodiment that there is no need for a sharedsecret between the client communications terminal and the subscriptionmodule. As the security requirements for communicating a public key arelower than for a symmetric key, the subscription module may receive apublic key of the client subscription module in several different ways,thereby increasing the flexibility of the method. Furthermore, thepublic key of the client communications terminal does not need to bepermanently stored in the subscription module, thereby saving storagespace in the subscription module.

[0025] In a further preferred embodiment of the invention the methodfurther comprises the step of authenticating the subscription module bythe client communications terminal using the public key-basedauthentication procedure wherein the client communications terminal hasaccess to a public key related to the subscription module. Hence,additional security is achieved, as only an authorised subscriptionmodule is trusted by the client communications terminal. This is aparticular advantage, if the user of the client communications terminalwishes to send sensitive data to the subscription module. When the stepof authenticating the client communications terminal further comprisesthe step of exchanging between the client communications terminal andthe subscription module a second secret key for use during cryptographicprotection of the data related to the subscription module communicatedbetween the server communications terminal and the client communicationsterminal via the communications link, an end-to-end encryption of thecommunication between the subscription module and the clientcommunications terminal is achieved, thereby providing a high level ofsecurity of the transmitted information against misuse and interceptioneven during the internal communication within the server communicationsdevice, i.e. the communication over the interface provided by thesubscription module. Preferably, the step of communicating data relatedto the subscription module further comprises the step of encrypting thedata using an encryption key derived from the second secret key.

[0026] Alternatively, the encryption may be based on a asymmetricalencryption scheme using a public key and without the need for a sharedsecret.

[0027] Furthermore, when the step of communicating data related to thesubscription module further comprises the step of integrity protectingthe data using a key derived from the second secret key, thecommunicated data is further protected against unauthorised alteration.

[0028] According to another preferred embodiment of the invention, thestep of authenticating the client communications terminal furthercomprises the step of inquiring an input from a user of the servercommunications terminal indicative of an approval of the authentication.Consequently, as the communication of data to/from the subscriptionmodule requires an approval by the user of the server communicationsdevice comprising the subscription module, additional security againstmisuse or accidental use is achieved. For example, the user may press apredetermined button and/or input a PIN code in order to authorise theaccess to the subscription module.

[0029] When the step of initiating communicating data related to thesubscription module further comprises the step of performing a userauthorisation based on a PIN code stored on the subscription module,access to the data related to the subscription module may be controlledmore fine-grained, as different types of data may be associated withdifferent PIN codes, thereby providing the possibility of selectivelygranting access to parts of the data. Alternatively or additionally,different types of access, such as read, write, delete, or the like, maybe associated with different PIN codes. Hence, according to thisembodiment, a user of the client communications device is required toenter a PIN code prior to being granted access to the data.

[0030] According to a further aspect of the invention, the inventionrelates to an arrangement for granting access to a subscription modulein a communications system, the arrangement comprising a clientcommunications terminal and a server communications terminal includingthe subscription module, the client and server communications terminalseach comprising respective communications means for establishing acommunications link between the client communications terminal and theserver communications terminal, and for communicating data related tothe subscription module between the server communications terminal andthe client communications terminal via the communications link;characterised in that the subscription module further comprisesprocessing means adapted to authenticate the client communicationsterminal using a key-based authentication procedure, and to grant accessto the subscription module conditioned on a result of the authenticationprocedure.

[0031] When the communications link is a wireless communications link, afast way of establishing a communications link is provided without theneed of a physical or electrical connection between the terminals.

[0032] When the server communications terminal, the communications meansof the server communications terminal, and the subscription module arephysically included in a single unit, a particularly high level ofsecurity is provided, as the possibility of data interception and misuseis further reduced. Advantageously, the server communications terminal,a wireless interface and the subscription module may be implemented asone physically inseparable entity.

[0033] According to a further aspect of the invention, the inventionrelates to a server communications terminal comprising a subscriptionmodule and communications means for establishing a communications linkwith a client communications terminal and for communicating data relatedto the subscription module with the client communications terminal viathe communications link; characterised in that the subscription modulecomprises processing means adapted to authenticate the clientcommunications terminal using a key-based authentication procedure, andto grant access to the subscription module conditioned on a result ofthe authentication procedure.

[0034] The server communications terminal may be used as a serverterminal for a number of different client communications terminals usingthe same subscription.

[0035] According to a further aspect of the invention, the inventionrelates to a client communications terminal comprising communicationsmeans for establishing a communications link with a servercommunications terminal including a subscription module, and forcommunicating data related to the subscription module with the servercommunications terminal via the communications link; characterised inthat the client communications terminal comprises processing meansadapted to perform a key-based authentication procedure cooperativelywith the subscription module allowing the subscription module toauthenticate the client communications terminal and to grant access tothe subscription module conditioned on a result of the authenticationprocedure.

[0036] According to a further aspect of the invention, the inventionrelates to a subscription module for use with a server communicationsterminal, the server communications terminal including communicationsmeans for establishing a communications link with a clientcommunications terminal and for communicating data related to thesubscription module with the client communications terminal via thecommunications link; characterised in that the subscription modulecomprises processing means adapted to, when the subscription module isin connection with the server communications terminal, authenticate theclient communications terminal using a key-based authenticationprocedure, and to grant access to the subscription module conditioned ona result of the authentication procedure.

[0037] The subscription module may be brought into physical contactwith, e.g. inserted in, the server communications terminal, or acommunications connection may be established, e.g. by bringing thesubscription module into the range of coverage of a wirelesscommunications interface.

[0038] The term processing means comprises a programmablemicroprocessor, an application-specific integrated circuit, or anotherintegrated circuit, a smart card, or the like.

[0039] The term storage means includes magnetic tape, optical disc,digital video disk (DVD), compact disc (CD or CD-ROM), mini-disc, harddisk, floppy disk, ferro-electric memory, electrically erasableprogrammable read only memory (EEPROM), flash memory, EPROM, read onlymemory (ROM), static random access memory (SRAM), dynamic random accessmemory (DRAM), synchronous dynamic random access memory (SDRAM),ferromagnetic memory, optical storage, charge coupled devices, smartcards, PCMCIA cards, etc.

[0040] The term communications means comprises any circuit adapted toestablish the above mentioned communications link. Examples of suchcircuits include RF transmitters/receivers, e.g. Bluetooth transceivers,light emitters/receivers, e.g. LEDs, infrared sensors/emitters,ultrasound transducers, etc.

[0041] Furthermore, the features and steps of the above discussed methodaccording to the invention may be incorporated in the further aspects ofthe invention discussed above, and the advantages discussed inconnection with the above method correspond to advantages of thesefurther aspects of the invention.

[0042] The invention will be explained more fully below in connectionwith a preferred embodiment and with reference to the drawing, in which:

[0043]FIG. 1 shows a schematic view of a client communications terminaland a server communications terminal according to an embodiment of theinvention;

[0044]FIG. 2 shows a schematic view of a subscription module accordingto an embodiment of the invention;

[0045]FIG. 3 shows a schematic view of a server communications terminalaccording to an embodiment of the invention;

[0046]FIG. 4 shows a schematic view of a key table stored in asubscription module according to an embodiment of the invention;

[0047]FIG. 5 shows a flow diagram of an authentication procedureaccording to an embodiment of the invention based on a symmetric key;and

[0048]FIG. 6 shows a flow diagram of an authentication procedureaccording to an embodiment of the invention based on a public key.

[0049]FIG. 1 shows a schematic view of a client communications terminaland a server communications terminal according to an embodiment of theinvention. The client communications terminal 106 includes an aerial 113for communicating via a mobile communications network 114, e.g. a GSMnetwork. The client communications terminal further comprises circuitry107 for controlling the communications terminal, a storage medium 108, adisplay 111 and a keypad 112, or other user input/output means. Forexample, the client communications device may be a mobile telephone oranother personal communications device, such as a communicator, a PDA, apager, a car phone, or the like. Further examples of a clientcommunications device include a modem, a telefax or othertelecommunications equipment. The storage medium 108 may be a memorysection of a SIM card comprising EPROM, ROM and/or RAM sections.Alternatively, the storage medium may be a another built-in orinsertable memory, such as EEPROM, flash memory, ROM, RAM, etc.

[0050] The client communications terminal further comprises a Bluetoothtransceiver 110. Via the Bluetooth transceiver, a local radio link 115for data transmission can be established between the clientcommunications terminal and a Bluetooth transceiver 104 of a servercommunications terminal 101 when the server communications device isbrought into the connection range of the wireless local communication ofthe client communications device, or vice versa. The servercommunications terminal 101 comprises a processing unit 105 and asubscription module 102. In one embodiment, the subscription module is aSIM card comprising a processing unit, a memory including an EPROMsection, a ROM section and a RAM section and an input/output port.Hence, the server communications device has direct access to asubscription module and is physically connection to it. The servercommunications device may grant the client communications terminalaccess to the services and files of the subscription module 102. Forexample, the server communications terminal may be a mobile telephone orother personal communications equipment. Alternatively, the servercommunications device may be a special remote access device which onlyserves as an access server for different client terminals. For example,the server communications terminal may be implemented as a contactlesssmart card, e.g. a smart card with an integrated wireless communicationsinterface such as a short-range radio interface.

[0051] Hence, the client communications terminal 106 may access theservices and files of the subscription module 102 of the servercommunications terminal 101, via the radio link 115, and use theaccessed for the connection to the cellular network 114. In the above,two general roles have been described: A Remote Authentication AccessServer (RAA Server) having direct access to the subscription module, anda Remote Authentication Access Client (RAA Client) obtaining remoteaccess to the subscription module, thereby obtaining access to a numberof possible services. Hence, in the following, the client communicationsterminal will also be referred to as the RAA Client and the servercommunications terminal will be referred to as the RAA Server. Examplesof the functionality, services and data which may be accessed by the RAAClient include:

[0052] Register the RAA Client 106 in a cellular network 114 using thesubscription module 102 in the RAA Server 101.

[0053] The RAA client 106 can access data and services available in thesubscription module 102.

[0054] The RAA Server 101 may exercise access control on what servicesand data can be accessed by a RAA Client 106;

[0055] Establish a connection (i.e. a voice, fax, or data call),hereafter referred to as a “call”, from the RAA Client 106 using thesubscription module 102 in the RAA server 101;

[0056] Receiving a call from the network 114 at the RAA Client 106.

[0057] According to the invention, the subscription module 102 comprisesa remote access authorisation functionality 103 for the protection ofthe subscription module against unauthorised access to the sensitivesubscription information and services on the module. The remote accessauthorisation functionality 103 provides functionality for theauthentication of different RAA Clients, such that only an authorisedRAA client is allowed to get access to the subscription module 102. Theauthentication procedure may be based on a symmetric key mechanism, apublic key mechanism, or the like. Two embodiments of such mechanismswill be described in greater detail in connection with FIGS. 5-6.Preferably, the RAA Client 106 comprises a corresponding remote serverauthorisation functionality 109 allowing the RAA Client 106 toauthenticate different subscription modules. Only an authorised moduleis trusted by the RAA Client. According to the invention, the remoteaccess authorisation functionality 103 and the remote serverauthorisation functionality 109 have a shared secret, or the possibilityof exchanging a shared secret key, used to authenticate and/or protectthe connection between the RAA Client 106 and the subscription module102. The connection between the RAA client 106 and the subscriptionmodule 102 is encrypted end-to-end. The key used for the encryption iseither fixed or, preferably, derived from the shared secret at eachconnection set-up. The communication between the RAA client and thesubscription module may further be integrity protected end-to-end usinga key derived from the shared secret. Furthermore, the subscriptionassociated wit the subscription module 102 may have one or more PINcodes associated with it. Each of these PIN codes may be associated withaccess restriction to the data and services on the module.

[0058] Hence, it is an advantage of the invention that it providesprotection of the connection and authentication of the RAA Client whichaccesses the subscription module over an air interface. If Bluetooth isused, build-in Bluetooth authentication and encryption can protect theair interface as the Bluetooth baseband security mechanism (BluetoothSpecial Interest Group, “Baseband Specification”, Specification of theBluetooth System, Core, Version 1.1, Dec. 1, 2000) allows fastauthentication and encryption between two Bluetooth modules. However,this is only realised on the link level between two Bluetooth radiounits and, hence, this is not an end-to-end solution with thesubscription module at one end and the RAA Client at the other. Hence,it is an advantage of the invention that it provides authentication andencryption end-to-end between the subscription module and the terminalwhere the RAA client resides.

[0059] It is noted that, in one embodiment, the subscription module 102may regard the RAA Server 101 as a trusted proxy. In this scenario,access control may still be realised by the subscription module 102 orit may be delegated to the processing unit 105 of the RAA Server.

[0060]FIG. 2 shows a schematic view of a subscription module accordingto an embodiment of the invention. The subscription module 102 comprisesa processing unit 201 and memory 202 which may be divided into a ROMsection 203, an EPROM section 204 and a RAM section 205. Thesubscription module further comprises an input/output interface 206 forcommunicating with the device it is inserted in. For example, thesubscription module may be a smart card which may be removably insertedin the server communications terminal, e.g. a SIM card in the context ofa GSM network. According to the invention, the subscription module isadapted to provide remote access security functionality 103 forprotecting access to data stored in the memory 202 and the functionalityof the processing unit 201. The processing unit 201 is adapted toprovide a number of security functions 103 a, e.g. as part of thesoftware executed on the processing unit or implemented in hardware. Theremote access security functions 103 a have access to one or more keycodes 103 b-d of a key based authentication mechanism stored in thememory 202 of the subscription module. The key(s) may be stored in theROM section 203, the EPROM section 204 and/or the RAM section 205,depending on the authentication mechanism and the lifetime of thekey(s). For example, a temporary key used only for a single session maypreferably be stored in the RAM section, while a permanent key may bestored in the ROM section. In a mechanism involving multiple keys,different keys may be stored in the same or in different sections.

[0061]FIG. 3 shows a schematic view of a modular server communicationsterminal according to an embodiment of the invention. The servercommunications terminal comprises a base module 301 with a subscriptionmodule 302 according to the invention. The base module 301 providesinterfaces 304 and 306 to a user interface module 308 and a radiointerface module 305. The user interface may provide a display forproviding a graphical user interface and/or a keypad, a pointing device,or the like. The radio interface unit may comprise a radiotransmitter/receiver and an aerial for connecting to a cellular network,a short-range radio transceiver and/or other wireless interfaces. Theinterfaces 304 and 306 may be implemented as plug-in interfaces, e.g.using a standard such as USB or the like. Alternative, the interfacesmay be contact-free interfaces e.g. based on electromagnetic radiation,such as infrared or a radio link, e.g. using the Bluetooth technology orother short-range wireless communications technologies. The datacommunication via the interface 304 and/or the interface 306 may use aproprietary or a standard protocol. For example the base module may beimplemented as a smart card, e.g. a smart card having an integratedradio interface. In another embodiment, the base module may beimplemented as a unit providing the interfaces 304 and 306 and includinga subscription module, e.g. as a removably insertable unit, such as asmart card. In a modular architecture as in the example of FIG. 3, anend-to-end authentication and protection of the communication to/fromthe subscription module is of particular importance, as the interfaces304 and/or 306 of the base module are open and, thus, vulnerable forunauthorised access. Therefore, it is an advantage of the invention thatit secures all interfaces when providing remote access to a subscriptionmodule.

[0062]FIG. 4 shows a schematic view of a key table stored in asubscription module according to an embodiment of the invention.According to one embodiment of the invention, the authentication of theclient communications terminal is based on a symmetric authenticationprocedure based on a shared secret. Hence, the RAA Client and thesubscription module need to have a shared secret in order toauthenticate each other and to protect the communication. This sharedsecret may be a long-lived secret key stored in the subscription moduleand the client communications terminal, respectively. Alternatively, theshared secret may be a secret key which is created when needed and whichis valid for a specific time period, for one session, or the like, i.e.it is a temporary shared secret.

[0063] If the shared secret is long-lived it may, for example, beentered into the RAA client by the RAA client user or by an operator. Inthe embodiment of FIG. 2, the entered shared secret may be stored inEPROM section 204 of the memory of the subscription module. The operatormay also send the secret key over the air or by any other means to theRAA client using some dedicated protocol. Preferably, this protocolneeds some additional security mechanism to protect the shared secretwhen transferred over the air. An example of such mechanism isencryption of the channel with an encryption key derived from anothershared secret stored in the RAA client. This key can for example bestored in the RAA client at the time of manufacture. Alternatively, theoperator may pre-configure the subscription module with a long-livedshared secret during the personalisation of the subscription module. Inthe embodiment of FIG. 2, Such a pre-configured shared secret may forexample be stored in the ROM section 205 of the memory of thesubscription module.

[0064] Referring to FIG. 4, a subscription module or a RAA Client mighthave several different shared secrets. One particular shared secret isused to secure the communication with one particular RAA Client orsubscription module respectively. In order to identify the sharedsecret, each shared secret is labelled with a unique identifier. Thisidentifier can be of any kind, but should be unique. If eachsubscription module has a unique ID, it is possible for all RAA Clientsto distinguish between different subscription modules and to know whichshared secret to use for a connection to a particular subscriptionmodule. For example, if the subscription module is implemented as a SIMcard, the International Mobile Subscriber Identity (IMSI) may be used toidentify the subscription module. Similarly, if each RAA Client has aunique ID, it is possible for all subscription modules to distinguishbetween different RAA Clients and to know which shared secret to use fora connection to particular RAA Client. Hence, in the subscriptionmodule, a table 401 may be stored comprising a number of secret keycodes K-1 through K-N together with their corresponding identifiers ID-1through ID-N, respectively. In the embodiment of FIG. 2, the table 401may be stored in the EPROM memory section 204, thereby allowing a userto add, edit, or delete entries in the table, e.g. in order to add a newauthorised client terminal, or in order to delete an old one. Forexample, the keys may be 128 bit symmetric keys.

[0065]FIG. 5 shows a flow diagram of an authentication procedureaccording to an embodiment of the invention based on a symmetric key.Initially, in step 501, a connection is established between the RAAClient and the subscription module. Preferably, this communications linkis a short-range wireless communications link as illustrated by thewireless link 115 in FIG. 1. If the wireless connection uses theBluetooth technology, the connection may be established automaticallywhen the server communications terminal and the client communicationsterminal are brought within each others range of radio coverage, e.g.within a range of a few meters. In a scenario where the servercommunications terminal is a mobile telephone and the clientcommunications terminal is a car phone, the connection may beestablished when the user approaches/enters the car. During or after theconnection establishment, in step 502, the terminal exchange IDs. In thesubsequent step 503, the IDs are used to look up the correspondingshared secret in a table 401 stored in the memory of the subscriptionmodule and in a corresponding table in the memory of the clientcommunications terminal. In step 504, the shared secret is used forauthenticating the client communications terminal by the subscriptionmodule and to authenticate the subscription module by the clientcommunications device. In step 505, a new shared secret is generated andexchanged between the subscription module and the client communicationsterminal. Preferably, this key exchange may be a part of theauthentication procedure. Alternatively, the key exchange is performedafter successful authentication. The authentication and key exchange canbe done in several different ways using well known state of the artsolutions for shared secret based authentication and key exchange, suchas PIN or password based solutions, challenge/response based solutions,a Feige-Fiat-Shamir protocol, a Schnorr protocol, etc., andDiffie-Hellman and related protocols, key exchange using public keyencryption, Kerberos type protocols, etc., respectively. Theauthentication and key exchange may be implemented in hardware or insoftware. In one embodiment, the authentication further requires anapproval by the user of the server communications terminal, therebyfurther increasing the security against misuse or accidental use. Forexample, the user may be required to enter a PIN code indicative of anauthorisation for remotely accessing the subscription module of theserver communications terminal.

[0066] After successful authentication and key exchange, the actual dataexchange between the client communications terminal and the subscriptionmodule may be initiated in step 506. The data exchange may comprise thetransmission of data to and/or from the subscription module, e.g. PINcodes, authorisation codes, identifiers, account numbers, or the like.Preferably, in order to protect the communication between the RAA Clientand the subscription module, all messages sent between the entities areencrypted with a symmetric encryption algorithm. Messages encrypted inthe PRA Client are decrypted in the subscription module. Messagesencrypted in the subscription module are decrypted in the RAA client.The algorithm used to encrypt the messages may be implemented inhardware or software in the RAA client and subscription modulerespectively. Any standard algorithm and procedure can be used, such asthe Data Encryption standard (DES), triple DES (3DES), SAFER+, AdvancedEncryption Standard (AES), RC4, RC5, etc. In order to encrypt themessages the RAA client and subscription module use the new sharedsecret exchanged in step 505. Alternatively, a key derived from theexchanged shared secret may be used. In another embodiment, the sharedsecret used for authentication may also be used for encryption withoutfurther key exchange. However, the generation of an encryption keyprovides a higher level of security.

[0067] Furthermore, in order to further protect the communicationbetween the RAA Client and the subscription module, all messages sentbetween the entities are integrity protected. The messages are protectedwith a symmetric authentication algorithm. A cryptographic message tagis calculated for each message in the RAA Client and checked in thesubscription module. A cryptographic message tag is calculated for eachmessage in the subscription module and checked in the RAA Client. Thesame procedure may be applied in the reverse direction. The algorithmused to calculate the message tag can be implemented in hardware orsoftware in the RAA client and subscription module, respectively. Anystandard algorithm and procedure may be used. The shared symmetric keyused in the integrity protection may be the shared secret exchanged instep 505, or a key derived from that shared secret.

[0068] Alternatively to a long-lived shared secret, e.g. if nolong-lived shared secret exists between the RAA Client and thesubscription module, the RAA Server user may allow a particular RAAClient to temporarily connect to the subscription module in the RAAServer. Then a temporary shared secret between the subscription moduleand the RAA Client needs to be generated. This may be done in severaldifferent ways, for example:

[0069] The RAA Server user enters a shared secret value into the RAAServer. The shared secret is directly transferred to the subscriptionmodule. Then the PAA Client user enters the same secret value into theRAA Client. As a user interaction is required, a high level of securityis achieved.

[0070] The subscription module generates a secret random value. Thisvalue is displayed on the RAA server. The RAA Client user enters thesecret random value into the RAA Client. As a user interaction isrequired, a high level of security is achieved.

[0071] The subscription module sends a secret value directly to the RAAClient. The secret value may be protected using for example encryption.The key used to protect the secret value can be a common key known to aparticular set of RAA Clients and subscription modules.

[0072]FIG. 6 shows a flow diagram of an authentication procedureaccording to an embodiment of the invention based on a public keymechanism. In the initial step 601 a connection between the clientcommunications terminal and the server communications terminal isestablished as described in connection with step 501 of FIG. 5. In step602, the public key of the RAA Client is retrieved by the subscriptionmodule. In order for the subscription module to authenticate andexchange a key with the RAA Client, the subscription module needs accessto one or several trusted public keys that this RAA Client uses. Thesubscription module can obtain the public key(s) in several differentways providing different levels of security. Examples of mechanisms toobtain the public key(s) include:

[0073] The subscription module is pre-configured with a set of trustedpublic keys used by the RAA Clients. Hence, in step 602, thesubscription module may retrieve the public key(s) from its memory, e.g.a ROM or EPROM section of a SIM card as described in connection withFIG. 2.

[0074] The public key(s) of the RAA Client are transmitted to thesubscription module during the connection establishment between thesubscription module and the RAA client. The subscription module truststhe public keys automatically or upon receipt of a user input approvingthe public keys. Hence, in this example, step 602 is performed as a partof the connection establishment in step 601.

[0075] The subscription module requests the RAA Client to transfer thepublic key(s) of the RAA Client during the connection establishmentbetween the subscription module and RAA Client. The key(s) aretransferred to the subscription module, possibly together with a publickey of a trusted third party. The public key(s) of the subscriptionmodule are signed with the private key of the trusted third party.

[0076] The subscription module asks the RAA Client for the public key(s)of the Client at the connection establishment between the subscriptionmodule and RAA Client. The key(s) are transferred to the subscriptionmodule in a digital certificate. An example of a digital certificateformat is the X.509 certificate format.

[0077] The RAA Server user enters at least one or several hash value ofa public keys or digital certificate into the device. The hash value isdirectly transferred to the subscription module. Later, the subscriptionmodule receives one or several digital certificates from the RAA Client.The subscription module hashes the received public key or certificate.If the computed hash value corresponds to the hash value entered by theRAA server user, the subscription module trusts the public key. Thisprocedure can, of course, be applied on multiple keys or certificateseach having their associated hash value.

[0078] Similarly, in order for the RAA Client to authenticate andexchange a key with the subscription module using a public keymechanism, the RAA Client needs access to one or several trusted publickeys belonging to the subscription module. Hence, in an embodiment wherethe RAA client authenticates the subscription module, step 602 furtherincludes the step of retrieving the public key(s) of the subscriptionmodule by the RAA Client. As described above, this may be done inseveral different ways, for example:

[0079] The RAA Client is pre-configured with a set of trusted publickey(s) belonging to the subscription module. Hence, in step 602, the RAAClient retrieves the public key(s) from its memory, e.g. a ROM or EPROM,the memory of a SIM card included in a mobile phone, a WIM cardcomprising public keys and certificates, or the like.

[0080] The RAA Client asks the subscription module for the public key(s)of the module at the connection establishment between the RAA Client andsubscription module. The RAA Client trusts the public key(s)automatically or upon receipt of a user input approving the public keys.Hence, in this example, step 602 is performed as a part of theconnection establishment in step 601.

[0081] The RAA Client asks the subscription module for the public key(s)of the module at the connection establishment between the RAA Client andthe subscription module. The key(s) are transferred to the RAA client,possibly together with a public key of a trusted third party. The publickey(s) of the subscription module are signed with the private key of thetrusted third party.

[0082] The RAA Client asks the subscription module for the public key(s)of the module at the connection establishment between the RAA Client andsubscription module. The key(s) are transferred to the RAA client in adigital certificate. An example of a digital certificate format is theX.509 certificate format.

[0083] The RAA Client user enters one or several hash values of publickeys or digital certificates into the device. Later, the RAA Clientreceives one or several digital certificates from the subscriptionmodule. The RAA Client hashes the received public key(s) orcertificate(s). If the has value(s) correspond to the hash value enteredby the RAA Client user, the public key(s) are trusted by the PAA Client.

[0084] In step 604, the trusted public key(s) related to the RAA Clientare used for the subscription module to authenticate the RAA Client.Similarly, the trusted public key(s) stemming from the subscriptionmodule are used to authenticate the subscription module. In step 605, ashared secret is generated and exchanged between the subscription moduleand the client communications terminal, resulting in a common secret keyfor the client communications device and the subscription module.Preferably, this key exchange may be a part of the authenticationprocedure. Alternatively, the key exchange is performed after successfulauthentication. The authentication and key exchange can be done inseveral different ways using well known state of the art solutions forpublic key based authentication and key exchange, such as PIN orpassword based solutions, challenge/response based solutions, aFeige-Fiat-Shamir protocol, a Schnorr protocol, etc., and Diffie-Hellmanand related protocols, key exchange using public key encryption,Kerberos type protocols, etc., respectively. The authentication and keyexchange may be implemented in hardware or in software. In oneembodiment, the authentication further requires an approval by the userof the server communications terminal, thereby further increasing thesecurity against misuse or accidental use. For example, the user may berequired to enter a PIN code indicative of an authorisation for remotelyaccessing the subscription module of the server communications terminal.

[0085] After successful authentication and key exchange, the actual dataexchange between the client communications terminal and the subscriptionmodule may be initiated in step 506, preferably using a symmetricencryption algorithm, as described in connection with FIG. 5. In orderto encrypt the messages, the RAA client and subscription module use theshared secret exchanged in step 605. Alternatively, a key derived fromthe exchanged shared secret may be used. In another embodiment, theencryption may be based on a public key mechanism, thereby not requiringthe exchange of a shared secret.

[0086] Furthermore, in order to further protect the communicationbetween the RAA Client and the subscription module, all messages sentbetween the entities are integrity protected, as described in connectionwith FIG. 5. The shared symmetric key used in the integrity protectionmay be the shared secret exchanged in step 605, or a key derived fromthat shared secret.

[0087] It is noted that the invention has mainly been described inconnection with a GSM network. However, it is understood that thepresent invention is not limited to GSM networks but may also be appliedto other communications networks, e.g. other mobile telecommunicationsnetworks such as GRPS and 3^(rd) generation networks, such as UMTS.

1. A method of granting a client communications terminal (106) access toa subscription module (102;302) of a server communications terminal(101), the method comprising the steps of establishing (501;601) acommunications link (115) between the client communications terminal andthe server communications terminal; and communicating (506) data relatedto the subscription module between the server communications terminaland the client communications terminal via the communications link;characterised in that the method further comprises the steps ofauthenticating (504;604) the client communications terminal by thesubscription module using a key-based authentication procedure; andinitiating the step of communicating data related to the subscriptionmodule conditioned on a result of the step of authenticating the clientcommunications device.
 2. A method according to claim 1, characterisedin that the method further comprises the step of authenticating thesubscription module by the client communications terminal using thekey-based authentication procedure.
 3. A method according to claim 1 or2, characterised in that the key-based authentication procedure is asymmetric authentication procedure based on a first secret key stored inboth the client communications terminal and the subscription module. 4.A method according to claim 3, characterised in that the step ofcommunicating data related to the subscription module further comprisesthe step of encrypting the data using an encryption key derived from thefirst secret key.
 5. A method according to claim 4, characterised inthat the method further comprises the step of deriving (505) anencryption key from the first secret key.
 6. A method according to anyone of the claims 3 through 5, characterised in that the step ofcommunicating data related to the subscription module further comprisesthe step of integrity protecting the data using a key derived from thefirst secret key.
 7. A method according to claim 1 or 2, characterisedin that the key-based authentication procedure is a public key-basedauthentication procedure wherein the subscription module has access to apublic key related to the client communications terminal.
 8. A methodaccording to claim 7, characterised in that the method further comprisesthe step of authenticating the subscription module by the clientcommunications terminal using the public key-based authenticationprocedure wherein the client communications terminal has access to apublic key related to the subscription module.
 9. A method according toclaim 7 or 8, characterised in that the step of authenticating theclient communications terminal further comprises the step of exchanging(605) between the client communications terminal and the subscriptionmodule a second secret key for use during cryptographic protection ofthe data related to the subscription module communicated between theserver communications terminal and the client communications terminalvia the communications link.
 10. A method according to claim 9,characterised in that the step of communicating data related to thesubscription module further comprises the step of encrypting the datausing an encryption key derived from the second secret key.
 11. A methodaccording to claim 9 or 10, characterised in that the step ofcommunicating data related to the subscription module further comprisesthe step of integrity protecting the data using a key derived from thesecond secret key.
 12. A method according to any one of the claims 1through 11, characterised in that the step of authenticating the clientcommunications terminal further comprises the step of inquiring an inputfrom a user of the server communications terminal indicative of anapproval of the authentication.
 13. A method according to any one of theclaims 1 through 12, characterised in that the step of initiatingcommunicating data related to the subscription module further comprisesthe step of performing a user authorisation based on a PIN code storedon the subscription module.
 14. An arrangement for granting access to asubscription module (102;302) in a communications system, thearrangement comprising a client communications terminal (106) and aserver communications terminal (101) including the subscription module,the client and server communications terminals each comprisingrespective communications means (110,104;305) for establishing acommunications link (115) between the client communications terminal andthe server communications terminal, and for communicating data relatedto the subscription module between the server communications terminaland the client communications terminal via the communications link;characterised in that the subscription module further comprisesprocessing means (103,103 a) adapted to authenticate the clientcommunications terminal using a key-based authentication procedure, andto grant access to the subscription module conditioned on a result ofthe authentication procedure.
 15. An arrangement according to claim 15,characterised in that the communications link is a wirelesscommunications link.
 16. An arrangement according to claim 14 or 16,characterised in that the server communications terminal, thecommunications means of the server communications terminal, and thesubscription module are physically included in a single unit.
 17. Anarrangement according to any one of the claims 14 through 16,characterised in that at least one of the server communications terminaland the client communications terminal is a mobile telephone.
 18. Anarrangement according to any one of the claims 14 through 17, whereinthe respective communications means are Bluetooth transceivers.
 19. Aserver communications terminal (101) comprising a subscription module(102;302) and communications means (104;305) for establishing acommunications link (115) with a client communications terminal (106)and for communicating data related to the subscription module with theclient communications terminal via the communications link;characterised in that the subscription module comprises processing means(103,103 a) adapted to authenticate the client communications terminalusing a key-based authentication procedure, and to grant access to thesubscription module conditioned on a result of the authenticationprocedure.
 20. A client communications terminal (106) comprisingcommunications means (110) for establishing a communications link (115)with a server communications terminal (101) including a subscriptionmodule (102), and for communicating data related to the subscriptionmodule with the server communications terminal via the communicationslink; characterised in that the client communications terminal comprisesprocessing means (109) adapted to perform a key-based authenticationprocedure cooperatively with the subscription module allowing thesubscription module to authenticate the client communications terminaland to grant access to the subscription module conditioned on a resultof the authentication procedure.
 21. A subscription module (102;302) foruse with a server communications terminal (101), the servercommunications terminal including communications means (104; 305) forestablishing a communications link (115) with a client communicationsterminal (106) and for communicating data related to the subscriptionmodule with the client communications terminal via the communicationslink; characterised in that the subscription module comprises processingmeans (103,103 a) adapted to, when the subscription module is inconnection with the server communications terminal, authenticate theclient communications terminal using a key-based authenticationprocedure, and to grant access to the subscription module conditioned ona result of the authentication procedure.
 22. A subscription moduleaccording to claim 21, characterised in that the subscription module isa smart card.
 23. A subscription module according to claim 22,characterised in that the smart card comprises an integrated radiotransceiver.
 24. A subscription module according to claim 21,characterised in that the subscription module is a security modulecomprising a removably insertable smart card.